The security concepts of the IBM i are rooted in the OS/400 operating system, known today as i/OS. Despite regular changes in the name of IBM's midrange line, iSeries seems to be the product name that has remained strongest in most people's minds, and today it probably enjoys the most widespread use.
|
|
|
There are many reasons for introducing and maintaining satisfactory security measures on an iSeries or any other computer system. The traditional threats such as theft of sensitive data from outside sources and safety against accidental harm from inside the organization have been joined by the danger of malicious activity from within and outside of the organization that, if carried out effectively, can disrupt a company and its business processes. Another requirement, characterizing awareness in the 21st century, is the need to protect against manipulation of data by members of the company, and to provide adequate means of auditing.
|
|
|
The most basic essentials of iSeries security are rooted in the user and object definitions and the relationship between the two. Each user on the system is created with a unique user profile, which contains many parameters dictating the operational rights of that user on the iSeries computer.
|
|
User Profiles in iSeries Security
|
|
Of the many parameters making up the user profile, the three most notable from the point of view of security are 'limit capabilities', 'special authorities' and 'initial program, or menu'. Each of these permits or denies different forms of access to various functions available to manipulate the system. 'Limit capabilities' has a bearing on other user profile security parameters. It can be used to prevent the system command line from being shown to the user, and so prevents him from entering commands, including those controlling iSeries security. It can also prevent the changing of the 'current library', effectively forcing the user to work within a set working environment.
|
|
|
Special authority is a parameter that can contain one or more values, each pertaining to a specific set of powers. The most powerful of these is 'all object authority' (*ALLOBJ). A user with all object authority can access any object on the system, without specific permission having been given. However, even though 'all object' allows access to any object, the system software for iSeries security requires other authorities in order to manipulate certain objects. The powerful security administrator (*SECADM) authority is the one that allows a user to manage the profiles of other users. Other special authorities allow access to job and printer management, system auditing definitions and HTTP configuration.
|
|
|
Initial program and menu are used to route the user, following entry to the system, to an initialization program and/or to a specific menu from which the user will work.
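As an added illustration (not code from the original page or from any product it mentions), the sketch below reviews an export of user profiles for the three parameters discussed above. The CSV layout, the profile names and the finding labels are assumptions constructed for this example; only *ALLOBJ, *SECADM and the idea of limited capabilities come from the text.

```python
import csv
import io

# Constructed sample export of user profiles (not real data). Column names
# mirror the profile parameters; the export layout itself is an assumption.
SAMPLE_EXPORT = """\
PROFILE,LMTCPB,SPCAUT,INLPGM,INLMNU
SECOFFICER,*NO,*ALLOBJ *SECADM *AUDIT,*NONE,MAIN
ORDERCLERK,*YES,*NONE,ORDENTRY,*SIGNOFF
HELPDESK,*YES,*SECADM,HDMENU,*SIGNOFF
BATCHDEV,*NO,*ALLOBJ *JOBCTL,*NONE,MAIN
TEMPUSER,*NO,*NONE,*NONE,MAIN
"""

def review_profile(row):
    """Return review findings for one profile row (empty list means none)."""
    findings = []
    special = set(row["SPCAUT"].split()) - {"*NONE"}
    not_limited = row["LMTCPB"] != "*YES"
    if "*ALLOBJ" in special:      # can access any object without a grant
        findings.append("ALLOBJ")
    if "*SECADM" in special:      # can manage other users' profiles
        findings.append("SECADM")
    if not_limited:               # capabilities are not fully limited
        findings.append("NOT_LIMITED")
    if not_limited and row["INLPGM"] == "*NONE":
        findings.append("NO_INITIAL_PROGRAM")  # not routed into an application
    return findings

def audit(export_text):
    """Map each profile that has at least one finding to its findings."""
    reader = csv.DictReader(io.StringIO(export_text))
    report = {row["PROFILE"]: review_profile(row) for row in reader}
    return {name: found for name, found in report.items() if found}

def review_first(report):
    """Profiles pairing a powerful special authority with no capability limit."""
    powerful = {"ALLOBJ", "SECADM"}
    return sorted(name for name, found in report.items()
                  if powerful & set(found) and "NOT_LIMITED" in found)

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for name, found in result.items():
        print(f"{name:<12} {', '.join(found)}")
    print("Review first:", ", ".join(review_first(result)))
```

Profiles returned by review_first combine broad authority with unrestricted capabilities, so they are the ones whose business justification should be checked first.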
|
|
The Object Authority Role in iSeries Security
|
|
The second major component in the iSeries security infrastructure is the object and the user permissions which have been applied to it. Each object has an owner (initially the user who created it) and, optionally, other users who have been granted permissions to use it. These additional users have access rights defined for various groups of activities on the object, including management activities such as moving, copying, renaming and deleting, and usage of the information contained in the object, such as running (in the case of a program object) or reading and updating (in the case of data). These permissions bind all users except those possessing all object authority.
|
|
Enforcive/Enterprise Security
|
Management of user profiles and object authorities can be simplified, as can other iSeries security tasks (iSeries Audit, for example), with a product built for administrators with or without extensive knowledge of the iSeries operating system and security functionality.
|
|
|
With Enforcive/Enterprise Security, security on your iSeries is improved in the following ways:
|
- iSeries security is simplified with intuitive GUI tools to administer complex tasks simply.
- Security is enhanced with the addition of many unique protection, monitoring and iSeries security audit capabilities not found in the OS/400 operating system.
|
|
Your organization will be better equipped to stand up against iSeries security threats and to meet compliance requirements.